Craig McLean wrote: >> >> * The spamd/spamass-milter processes should not run as root (user >> 'spamassassin'). > > I gather from your previous mail that you already run this as > "spamassassin". Make sure it owns the bayes files defined by > bayes_path. I created a subdirectory owned by the user and let SA get > on with it. > I had tried running as 'spamassassin', but ran into difficulties. In particular, it kept giving errors that it couldn't open /root/.spamassassin/user_prefs for writing, even when I made the file and the directory wide-open (777). Since I seem to recall seeing somewhere that I should make changed to the user_prefs and not the local.cf (as that might be updated and overwritten with upgrades), I had been using the user_prefs instead. I even went to the point of setting up a wide-open user_prefs file in a wide open directory, and linking to that for all users, but that didn't help (it still looked only for the one in the root home dir)
>> * I want a single set of user preferences/bayes DB. >> While additional user preferences could in theory be OK, >> I want only one Bayes DB. > > OK, the prefs in /etc/mail/spamassassin/*.cf and the bayes BD in > bayes_path then. > I think I'm there now; when I tried to use the -u flag on the startup command for spamassassin and spamass-milter, I got checks to each individual user. >> * As the above may mention, I want to use the Bayes DB for learning >> and auto-learning. > > Should work fine as long as the user running spamd owns the > directory/files used by bayes. > So far this seems to be working. >> * I want tagged spam to rewrite the subject. >> * I want to attch the original message to the report. > > looks like that's set up fine, judging by your local.cf > I'm getting header tags, but I'm not getting message rewriting/attachment, or a subject rewrite. >> * I want to use RBLs for things not covered otherwise in sendmail >> (i.e. for URLs in the messages) > > Make sure you have the perl Net::DNS stuff installed. Check with > 'spamassassin -D --lint, look for: > debug: is Net::DNS::Resolver available? yes > I *think* this is set up correctly; I'm not currently getting any errors that I can see. That line is indeed present. > >> * Eventually, I may drop egregious spam examples, >> but I'm not sure I want to do that yet. > > Well, it can be done if you choose to. > Not only that, but it seems to be happening now! I vaguely remember seeing which config file would control this, but re-Googling for it doesn't turn anything up now. Damn this memory! >> What seems to happen is that I can get some subset of these things, >> but not >> all at once. Additionally, while I often think I've got things >> working >> correctly, they appear to change randomly from working to >> non-working. > > Can you be more specific? What's not working? Any error messages in > messages/maillog/&c. > At this particular moment, the big problem is the subject/message rewriting. But then I'm still running as root (or, apparently, 'nobody') and I'm not sure this is the best thing to do. >> The last point, on dropping spam, seems to be happening anyway. From >> what I can >> tell, anything with a score greater than 15 is being rejected >> automatically. >> This is seriously reducing my spam load. > > That may well be a function of how SA/sendmail are configured on > Fedora? > It could be - but that wasn't happening as of Friday. I was seeing scores into the 20s come through - but tagged/rewritten. >> As I mentioned last week, I was getting "autolearn=failed" when >> BAYES_00 was >> the only rule that hit. If I got ANY other rule that also hit, >> autolearn did >> not fail. At least part of the problem there had to do with creating >> the >> lock file for the Bayes DB; Even though I thought I was running as >> root, and >> root owned the directory in question (/etc/mail/spamassassin) I >> needed to >> open the permissions in order for things to work correctly. > > I'd imagine that spamd runs as root only for long enough to create the > priv'd socket it needs, and then drops privs. I have everything in > /var/bayesdb/bayes_* and /var/bayesdb is 755 owned by 'spam' user > (which runs the milter/spamd). /etc/mail/spamassassin is 755 owned by > root. No problems.. > I've tried to move things off to a new directory /SA-shared. The Bayes DB is there now. but I'm still back to running as root, to avoid the user_prefs errors mentioned above. >> >>> From what I see now, this is because if root is running it then the >>> user >> shifts to 'nobody'. This is damn inconvenient. So, I've tried to >> shift to >> using user 'spamassassin' by using the "-u spamassassin" switch on >> both >> spamd and spamass-milter. When I do this, though, I can't actually >> read the >> user_prefs file for user root. But why am I even trying to open it >> for root, >> when spamassassin is the UID? > > Why not combine the user_prefs and the local.cf, and move the > whitelist somewhere where 'spamassassin' user can read/write to it? > I don't think I'm getting errors on the whitelist, just user_prefs. But I *could* combine the user_prefs and local.cf files (I did that briefly, but I thought that was a bad idea for some reason or another). >> The biggest problem right now is that for some reason message >> rewriting has >> stopped for spam messages. The header is tagged correctly, but the >> message >> is never rewritten. From my local.cf file (below), it looks like >> this >> should be happening. I don't know of any change I made which could >> account >> for this, and indeed this seemed to happen overnight, when I didn't >> do >> anything. > > [snip] > The config looks ok to me, but I'm no expert. Any error messages in > /var/log/maillog (or wherever on Fedora), or in the output from > spamassassin -D --lint? > I'm not seeing any error in maillog (yes, you've got the location correct) nor anything in 'spamassassin -D --lint'. Running the latest message itself through spamassassin -D shows that it is tagged correctly, and indeed it is being rewritten properly (sbject and body). I ran that test as root; this must have something to do with user IDs but I'm seeing no errors that I can find. >> >> http://www.eruditer.org:6080/spamassassin/local.cf >> http://www.eruditer.org:6080/spamassassin/root-user_prefs >> http://www.eruditer.org:6080/spamassassin/sysconfig-spamassassin >> http://www.eruditer.org:6080/spamassassin/sysconfig-spamassassin-milter > > Can't get to those URL's, timeout... > Hmm... It seems to be working from the outside; perhaps you're on a firewall that blocks my "special" port? Unfortunately, my ISP doesn't want me to run on port 80. I think I posted the first two anyway; the latter two are the startups from the /etc/sysconfig directory. I'll post those if you think it's helpful, or anything else for that matter... Thanks for your help! -Don
